Support Azure AD tenant-specific authorization

My use case is I have added contractors to my Azure AD as guest accounts, but these users cannot log in to SonarCloud to view analysis reports.

After a lot of digging, I’ve concluded that Azure AD guest user accounts cannot log in to SonarCloud via Azure DevOps unless that guest account happens to reside in its own properly configured AD tenant. This is largely due to SonarCloud using the Microsoft common authorize endpoint for this login method which does not support guest accounts. This means that, when users log in to SonarCloud with Azure AD credentials, they’re logging in against their tenant, not mine. In the case of my contractor guest account users, they most likely have what Microsoft refers to here as “just-in-time” tenants that have not been configured or validated with their email domain, which causes login issues as I’ve detailed in the topic linked below.

My desired workflow, if possible:

  1. at least one member of the host/parent active directory needs to log in to SonarCloud with Azure DevOps/AD to create an organization.
  2. I’d suspect that you can get my Azure AD tenant Id from my user token, based on a SonarCloud application being added to my Azure AD tenant, but if not I would be happy to provide it in the organization settings and/or specify that my organization’s users will be logging in via Azure AD.
  3. if users navigate directly to https://sonarcloud.io/organizations/[my org], instead of a 403 (as it currently does), could you query if my organization has been configured for Azure AD, query my organization’s tenant id, and redirect the user to the tenant-specific authorize endpoint instead of the common one? This would allow me, as an admin, to control user access to sonar through my AD.

Additionally, if a user goes through this workflow and successfully logs in, you could confidently auto-add them to my SonarCloud organization, which I have seen is another ask from users.

For reference, I have a question related to this feature request that triggered all this research that may be found here:

This may force me to cancel SonarCloud in favor of SonarQube, but I really don’t want to take on all of the operational overhead associated with that. So, if there’s anything I can do to help or if you need a guinea pig customer to help out, please let me know.
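To make the tenant-specific flow proposed in steps 2 and 3 concrete, here is an added illustration (not SonarCloud's code, and not part of the original post). It assumes a hypothetical per-organization setting `aad_tenant_id`, a constructed tenant id and client id, and that signature validation of the id token is already done by MSAL or your JWT library before the claims reach `may_auto_join`.

```python
from urllib.parse import urlencode

MS_LOGIN = "https://login.microsoftonline.com"

# Constructed sample organization settings (hypothetical "aad_tenant_id" field).
ORG_WITH_AAD = {"key": "my-org", "aad_tenant_id": "11111111-2222-3333-4444-555555555555"}
ORG_WITHOUT_AAD = {"key": "other-org"}


def authorize_url(org: dict, client_id: str, redirect_uri: str, state: str) -> str:
    """Build the v2.0 authorize URL for an organization.

    If the org has opted into Azure AD, the request goes to that tenant's
    endpoint (so guest users are evaluated by the host tenant); otherwise it
    falls back to the /common endpoint that today's login uses.
    """
    tenant = org.get("aad_tenant_id") or "common"
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,  # CSRF protection: bind the callback to this session
    }
    return f"{MS_LOGIN}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def may_auto_join(org: dict, id_token_claims: dict) -> bool:
    """Decide whether a freshly authenticated user can be auto-added to the org.

    The check is that the (already signature-verified) id token was issued by
    the org's own tenant: both the 'tid' claim and the 'iss' claim must match.
    A token from a contractor's home (just-in-time) tenant fails this check.
    """
    tenant = org.get("aad_tenant_id")
    if not tenant:
        return False  # org never opted into tenant-specific login
    if id_token_claims.get("tid") != tenant:
        return False
    return id_token_claims.get("iss") == f"{MS_LOGIN}/{tenant}/v2.0"
```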

Thanks for the details Brian, I’m logging this in our backlog. I hope we can do something about it when Microsoft has released the new version of their Auth library - which we’ll want to use to fix various limitations we currently have.

Hi @engenb,

We recently made improvements to Microsoft Authentication: not only do we support personal accounts, we now support the full MSAL system with the V2 authorization endpoint, which might help you achieve what you want.

Could you please test again and let us know?

Thank you very much!

Mickaël